'Your data or your life'

Comment

The greatest president in American history, Abraham Lincoln, is credited with uttering one of the finest sayings about human nature ever expressed: "You may fool all the people some of the time; you can even fool some of the people all the time; but you can't fool all of the people all the time." Folks in Lincoln's time seemed to be experts at fooling each other, so I'm sure Abe was speaking from experience and direct observation.

Lately I've been immersing myself in Shelby Foote's magisterial epic, The Civil War: A Narrative, Vol. 1: Fort Sumter to Perryville, and in it, Foote details several instances that occurred during the Civil War that bear out Lincoln's observation. Too often, though, the trickery works long enough for those doing the fooling to achieve their ends... and those being fooled to be taken for everything they're worth.

John Bankhead Magruder was a Confederate general who needed to convince the Federal army - headed by the notoriously cunctative general George McClellan - that it was facing a much larger Confederate force than it suspected. Foote explains how Magruder accomplished his task:

No wheeze was too old for Magruder to employ it. One morning he sent a column along a road that was heavily wooded except for a single gap in plain view of the enemy outposts. All day the gray files swept past in seemingly endless array, an army gathering in thousands among the pines for an offensive. They were no such thing, of course. Like a low-budgeted theatrical director producing the effect with an army of supernumeraries, Magruder was marching a single battalion round and around, past the gap, then around under cover, and past the gap again.

Magruder's ruse worked, helping the overly cautious McClellan to find yet another reason to delay his attack. Of course, Magruder's trick pales in comparison to the stunt that Pierre Gustave Toutant de Beauregard - another Confederate general, easily possessed of the most colorful name of any soldier on either side of the War - pulled against the Union armies commanded by the unimaginative Henry Halleck. Beauregard and his men were forced to retreat from their supply base in Corinth, Mississippi, but they needed to keep the retreat from turning into a rout. They needed, in other words, to hide from Halleck and the Northerners that a retreat was under way. According to Foote, here's how the wily Southerners did it:

When [Beauregard's men] stole out of the entrenchments [at Corinth] after nightfall, they left dummy guns in the embrasures and dummy cannoneers to serve them, fashioned by stuffing ragged uniforms with straw. A single band moved up and down the deserted works, pausing at scattered points to play retreat, tattoo, and taps. Campfires were left burning, with a supply of wood alongside each for the drummer boys who stayed behind to stoke them and beat reveille next morning. All night a train of empty cars rattled back and forth along the tracks through Corinth, stopping at frequent intervals to blow its whistle, the signal for a special detail of leather-lunged soldiers to cheer with all their might. The hope was that this would not only cover the incidental sounds of the withdrawal, but would also lead the Federals to believe that the town's defenders were being heavily reinforced.

It worked to perfection. Daylight showed "dense black smoke in clouds," but no sign of the enemy Pope expected to find massed in his front. Picking his way forward he came upon dummy guns and dummy cannoneers, some with broad grins painted on. Otherwise the works were deserted.

Inside men, in an IT world

It seems that modern cyber-criminals have learned a thing or two from the Confederates of old. No subterfuge is too old to be reborn in a modern setting, and while you can't fool all the people all the time, fooling enough people enough of the time will still net a bad guy plenty of money.

Sumitomo Mitsui is one of the larger Japanese banks, and as such it has branches around the world, one of them in London. Last year, Sumitomo Mitsui was nearly the victim of the largest bank robbery in history: nearly half a billion dollars. Yes, you read that right. Thieves nearly made away with $440m, but were foiled by police before the heist could be completed. How did it happen? It was an inside job, of course.

The robbers disguised themselves as janitors and then, with the help of a security guard on staff, surreptitiously placed hardware keystroke loggers between the keyboards and the PCs of certain employees. And which ones would those be? They were the machines used by the help desk employees, naturally, and those used by the employees in charge of wire transfers over the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, which links over 7,800 financial institutions across 202 countries and transfers more than six trillion US dollars every day. A short time later, the bad guys had captured the admin passwords needed for remote access to the bank's other machines, along with the necessary logins and passwords to begin transferring money to the financial accounts of their choosing. Let the looting begin!

Full details are still scarce, but somehow the authorities were alerted in time and the big pinch was prevented. You still have to admire the brazenness of the criminals who dreamt this up, and shake your head at the lousy physical security practiced at the London branch of Sumitomo Mitsui.

The bank is pretty sure it won't see a repeat of this particular crime again, by the way, as it has adopted a low tech solution to a high tech problem. Now the connectors of all keyboards are superglued to the backs of their PCs. Glue only defeats the inline dongle, of course; it does nothing against a logger built into a replacement keyboard or a device plugged into another port, so it is a fix for this attack rather than for the class. Got a bad keyboard? Dude, you're gettin' a Dell!

Ruthless people...and your data

The practice of holding valuable people or objects for ransom stretches back into the earliest records of human history. Recently, though, the internet has allowed criminals to hold things for ransom without the need for their physical presence. Dubbed "ransomware," this is a new type of Trojan horse that, once run by a patsy, threatens the loss of data unless money is coughed up...fast.

In March, Cryzip appeared. Cryzip archives the victim's Word, Excel, PDF, and JPEG files into a zip file protected by a password known only to the miscreant. Instructions are provided that order the unfortunate computer user to pay $300 using one of 99 E-Gold accounts to obtain the decryption password. While I'm sure that many of my readers would roll their sleeves up and gladly jump into the challenge of breaking the password used to generate that zip file (and note that the Trojan has to supply that password to build the archive on the victim's own machine, so it is present there at least for a moment), you will definitely agree that this would freak out most ordinary Windows users.
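The Cryzip pattern just described (read a user's documents, pack them into an archive the user cannot open, remove the originals) is the kind of thing a host-based monitor can spot from file activity alone, without knowing the password or the malware's name. The following Python is an added example, not part of this column and not any vendor's product: it runs one behavioural rule over a constructed, labelled list of file-operation events and flags a process that reads several documents of the targeted types, then writes an archive, then deletes the originals. The event format, the process names, the thresholds and the file paths are all assumptions for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the column says Cryzip targets, plus common archive types (assumed list).
TARGET_EXTS = {".doc", ".xls", ".pdf", ".jpg"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
MIN_DOCS = 5  # assumed threshold: fewer reads than this is not "mass" activity

# Constructed sample documents and events; process names are hypothetical.
DOCS = [
    r"C:\Users\alice\Documents\budget.xls",
    r"C:\Users\alice\Documents\letter.doc",
    r"C:\Users\alice\Documents\contract.pdf",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\family.jpg",
]

SAMPLE_EVENTS = (
    # Normal editing: reads and writes documents, never archives or deletes.
    [("winword.exe", "read", DOCS[1]), ("winword.exe", "write", DOCS[1])]
    # A backup tool: reads everything and writes an archive, but keeps the originals.
    + [("backup.exe", "read", d) for d in DOCS]
    + [("backup.exe", "write", r"D:\backup\docs-2006-03.zip")]
    # A user deleting one file by hand: delete without a preceding archive.
    + [("explorer.exe", "delete", DOCS[3])]
    # The hostage pattern: read all, write one archive, delete the originals.
    + [("hostage.exe", "read", d) for d in DOCS]
    + [("hostage.exe", "write", r"C:\Users\alice\Documents\ENCRYPTED.zip")]
    + [("hostage.exe", "delete", d) for d in DOCS]
)


def detect_archive_ransom(events, min_docs=MIN_DOCS):
    """Return {process: sorted originals deleted} for processes that read at least
    min_docs target documents, then wrote an archive, then deleted those originals.

    Order matters: an archive write only counts after the document reads, and a
    delete only counts after the archive write and only for a file the process read.
    """
    state = defaultdict(lambda: {"read": set(), "archived": False, "deleted": set()})
    for proc, op, path in events:
        ext = PureWindowsPath(path).suffix.lower()
        s = state[proc]
        if op == "read" and ext in TARGET_EXTS:
            s["read"].add(path)
        elif op == "write" and ext in ARCHIVE_EXTS and len(s["read"]) >= min_docs:
            s["archived"] = True
        elif op == "delete" and s["archived"] and path in s["read"]:
            s["deleted"].add(path)

    return {
        proc: sorted(s["deleted"])
        for proc, s in state.items()
        if s["archived"] and len(s["deleted"]) >= min_docs
    }


if __name__ == "__main__":
    for proc, held in detect_archive_ransom(SAMPLE_EVENTS).items():
        print(f"{proc}: {len(held)} originals removed after archiving")
```

The rule is deliberately a sequence check rather than a count of deletes, which is why the backup tool and the manual delete in the sample do not fire. A legitimate "move to archive" utility would trip it, so in practice the threshold is tuned and known tools are allowlisted; the point is that the archive-then-delete ordering, not the archive's password, is what gives this kind of Trojan away.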

Ransom-A is even newer, and it introduces a new wrinkle: once run, Ransom-A freezes the computer. A message pops up, informing the poor sucker that he must send $10.99 via Western Union, or a file will be deleted every 30 minutes. Your first thought might be, "Only $10.99? Man, crackers are working cheap these days!", but you have to admit that this would completely terrify Mom and Dad. What would they do?

The internet has made it easy to keep in touch, share files, and now, hold people's computers hostage from a continent away. I'll be interested to see what new ransom schemes appear in the coming years.

In fact, there are many instances of people who make their day-to-day living buying virtual property that exists only in online game worlds - magical swords, huge castles, gold pieces, even the very characters that users play - and then reselling them to other players on eBay or other auction sites for real dollars and cents. Julian Dibbell (another fascinating writer on this subject) made $1,000 in three weeks selling items from the game Ultima Online. In his best month he made $3,917, which works out to about $47,000 a year, which ain't too bad for stuff that doesn't really exist. But that's nothing compared to some of the real high-rollers.

Jennifer Grinnell sells digital clothing and "skins" to players in the Second Life video game. It's now a full-time job that nets her over four times what she earned as a furniture delivery dispatcher in Michigan. Anshe Chung buys up island properties in Second Life and then rents out space to other players, who build virtual homes and businesses on them. She makes more than $150,000 a year as a virtual landlord. This same idea led Jon Jacobs to spend $100,000 USD - yes, that's 100 large ones in real US dollars - on a space station in the game Project Entropia. His purchase gives Jacobs the right to set taxes on mining and hunting inside the game, as well as collect a fee from the lucky company that buys the space station naming rights. And that doesn't even include all the money he'll make selling shopping mall deeds, plots of "land," and ads on the billboards that dot the station's interior.

It's gotten to the point where Sony set up its own auction site for players of EverQuest II to buy and sell game property (thus allowing the company to make a cut on all transactions, of course). And as further weird amalgamations of virtual and real economies occur, we now have computer sweatshops appearing in China and Mexico, in which young men are paid a few dollars per day (or less) to sit and play games like World of Warcraft and EverQuest for about 12 hours a day, performing often mind-numbing tasks in order to create virtual wealth. The bosses that pay these young men then turn around and sell that virtual property to gamers in the real world, at fantastically higher rates. They earn real money that exists outside the virtual world.

It was therefore inevitable that bad guys would see an opportunity to steal money in settings like this. Now someone has. The most popular of these MMORPGs (Massively Multiplayer Online Role-Playing Games) is undoubtedly World of Warcraft, with over six million players worldwide. A few days ago, it was reported that a new Trojan has appeared on the scene: PWS.Win32.WOW.x. Spread via email, IM, and peer-to-peer file sharing - and gamers tend to do a lot of each of these - as well as through our old friend the malicious pop-up ad that exploits Internet Explorer vulnerabilities (and you know you shouldn't be using IE, but perhaps you are a masochist), this Trojan is brilliant in its limited, precise scope. Once installed, Win32.WOW tries to steal a World of Warcraft user's name and password. Armed with that information, the criminal logs in to the user's online Warcraft account, transfers all the player's virtual property to an avatar controlled by the attacker, and then sells the property on a gray-market auction site for real money. By the time the player figures out what has happened, the character is denuded of all its goodies and the villain in this story is long gone.

This misdeed isn't necessarily going to net the attackers a lot of money, though it may in certain cases. It's a low risk crime that is easy to run and probably works in many cases. Not to mention - and I hate saying this, but I'm sure it's true - it's probably a lot of fun as well. As we see more collisions between virtual and earth-bound economies, in which money moves between these two worlds, I guarantee we're going to see more attacks of this sort.

In one sense, all three of the criminal attacks I've discussed aren't original. In the case of Sumitomo Mitsui, the attackers used inside access, disguise, and keyloggers, while the perpetrators of ransomware use the same threat victims have heard for millennia: "Your money or your life!" Just substitute "data" for "life," and you're now in the 21st century.

Finally, the World of Warcraft Trojan is... well, a Trojan horse, and we know how old that is. Couple that with simple theft, and what seems shockingly new is revealed as a trick about the same quality as Magruder sending his men marching around and around to be seen through a gap in the pine trees: an "old wheeze". It took four years of blood and suffering to finally beat the Confederates; unfortunately, IT security is just getting started. I have the feeling we're going to be dealing with the ramifications of these dirty tricks for a long, long time.